Thursday, May 31, 2012

For 3 years a Canadian insurer failed to detect data privacy violations by one of their employees. The employee used his legitimate access to corporate applications to look at the private information of 12 customers without a "justifiable work purpose".

The insurer claims to have "internal processes that track access to [customer] records". So why did this employee's privacy violations go on for 3 years without being detected?

One clue is the company's announcement, which does not indicate HOW they caught the rogue employee, only that the "breach of privacy was brought to the attention of the Commission’s Chief Executive and Privacy Officer". Perhaps the passive voice is being used because their "internal processes" were not the source of the discovery.

If the insurer was depending on employees to discover and report data privacy violations, it is not surprising it took years. A good Identity and Access Intelligence service would have caught the rogue employee 3 years earlier and demonstrated "Zero Tolerance" for breaches of customer data privacy.

Wednesday, May 30, 2012

A registered nurse wrote an insightful piece about what to do (or, more importantly, not do) when a healthcare colleague is a patient.

She speaks from first-hand experience, as she has seen five terminations as a result of inappropriate in-house chart accesses, including one where it was her own medical privacy that was violated.

"Have a reason to open a chart or don’t do it. If you open it by accident, find out your facility’s procedure for documenting accidental chart accesses and use it. Don’t have time? Do you have time to find a new job?" - Megen Duffy, RN, BA, BSN, CEN

Her Advice to Her Peers

If you see that a colleague has been admitted to another floor, do not go there to visit. You may have good intentions, but it’s still illegal.

If your coworker wants to tell you about her appendectomy, let her bring it up on her own time, just as if it happened at another hospital.

If you are curious about a coworker's lab results or medication history, do not open the chart and look.

If your work friend is in the hospital, do not barge into the room to say hello. Act like a regular visitor and go through the proper channels.

As she concludes - "Corporate compliance officers now routinely investigate chart accesses for all employees admitted to or seen through an institution. Names on the list who were not involved in the patient’s treatment have some ’splaining to do."

Download a white paper on automated chart access investigation. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Tuesday, May 29, 2012

Insight on the Potential Privacy Implications of Health Information Exchanges

An employee of a Connecticut medical practice used her computer privileges to access her estranged family's electronic medical records at a nearby hospital.

The victims became suspicious when the employee tried to use the information against them in a legal matter.

The victims then requested time consuming audits of all access to their medical records at both the medical practice and the hospital. This resulted in the discovery of at least 14 privacy breaches of their electronic medical records between 2007 and 2012.

"How does this go on for so long without her being caught? Now she knows things about my health that my own son doesn't know. That's creepy." - Victim of Patient Data Privacy Breach

Even though the victims were never patients of the perpetrator's medical practice, she was able to access another healthcare organization's medical record system to violate the medical privacy of her brother, sister-in-law, and nephew. This is an important case because the ability of healthcare workers to access medical records at other healthcare organizations will expand dramatically with the introduction of Healthcare Information Exchanges (HIE).

Finally, more than two months after the medical record breaches were confirmed, the perpetrator was arrested on a charge of fifth-degree computer crime for "unauthorized access to a computer system". This Class B misdemeanor carries a maximum penalty of up to 6 months in prison and a fine of up to $1,000.

"Your records may be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations." - Privacy Rights Clearinghouse

The victim stated that both the medical practice and the hospital should have detected that her family's records were being accessed inappropriately long before she brought it to their attention. Their own patient privacy breach audits, she said, should have caused them to question why the perpetrator was accessing a relative's records and put an immediate stop to it.
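The chart-access review the nurse describes in the post above (every access to an employee-patient's chart by someone not on the care team gets questioned) and the relative-access check the victim in this post says the audits should have made, combined into one small script. This is an added illustration, not code from the nurse's article, the hospitals involved, or Veriphyr; the access log, care-team roster and employee-patient list are constructed sample data, and the "declared relatives" source (e.g. HR emergency contacts) is an assumption.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    action: str
    reasons: tuple


# Constructed sample chart-access log: (timestamp, user, patient id, action).
ACCESS_LOG = [
    ("2012-05-14 08:05", "dr.ortiz", "P100", "view"),
    ("2012-05-14 09:12", "nurse.kim", "P100", "view"),
    ("2012-05-14 12:40", "clerk.ann", "P100", "view"),
    ("2012-05-14 12:41", "clerk.ann", "P300", "view"),
    ("2012-05-14 13:00", "nurse.lee", "P200", "update"),
    ("2012-05-15 02:15", "clerk.ann", "P200", "view"),
    ("2012-05-15 09:00", "dr.ortiz", "P300", "view"),
]

# Constructed care-team roster: patient id -> users with a treatment role.
CARE_TEAM = {
    "P100": {"dr.ortiz", "nurse.lee"},
    "P200": {"dr.ortiz", "nurse.lee"},
    "P300": {"dr.ortiz"},
}

# Constructed: patient ids that belong to hospital employees (employee-patients).
EMPLOYEE_PATIENTS = {"P100": "nurse.kim"}

# Constructed and assumed data source: user -> patient ids of relatives the
# employee has declared (for example, HR emergency contacts).
DECLARED_RELATIVES = {"clerk.ann": {"P300"}}


def review_accesses(log, care_team, employee_patients, declared_relatives):
    """Return a Finding for every access a compliance officer should question.

    An access is questionable when the user is not on the patient's care team,
    when the chart belongs to the user or to a coworker, or when the patient is
    a declared relative of the user (even if the user is on the care team).
    """
    findings = []
    for ts, user, patient, action in log:
        reasons = []
        on_team = user in care_team.get(patient, set())
        if not on_team:
            reasons.append("not on care team")
        owner = employee_patients.get(patient)
        if owner == user:
            reasons.append("own chart")
        elif owner is not None and not on_team:
            reasons.append("coworker's chart")
        if patient in declared_relatives.get(user, set()):
            reasons.append("declared relative")
        if reasons:
            findings.append(Finding(ts, user, patient, action, tuple(reasons)))
    return findings


def rank_users(findings):
    """Users with the most questionable accesses first, as (user, count) pairs."""
    return Counter(f.user for f in findings).most_common()


if __name__ == "__main__":
    found = review_accesses(ACCESS_LOG, CARE_TEAM, EMPLOYEE_PATIENTS, DECLARED_RELATIVES)
    for f in found:
        print(f"{f.timestamp} {f.user:10} {f.patient} {f.action:6} {', '.join(f.reasons)}")
    print("by user:", rank_users(found))
```

Run over the sample log, the clerk's three accesses (a coworker's chart, a relative's chart, and an unrelated patient) and the nurse's look at her own chart are reported; the two care-team accesses are not.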

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

According to a survey of IT professionals at Infosecurity Europe, the insider threat is still the largest factor facing organisations today.

71% of the people surveyed worry that it’s their own staff who pose the biggest threat to their data.

This far outweighs that of hackers (28%), consultants and other third parties (7%), and just 5% cited the government.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

The thieves file a return very early so they can receive the refund before the real taxpayer files. Often the refund is in the form of a hard-to-trace prepaid debit card (introduced by the government to help people without bank accounts). The fraudulent tax returns list vacant houses as the taxpayer's address so the criminals can pick up the refund in an untraceable fashion.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sunday, May 27, 2012

A police officer is accused of accessing the "Crimefile" computer system to violate the privacy of his wife's tenant. The officer is also accused of obtaining the personal information of a relative, without authority.

The person making the complaint said that the landlord of an apartment he wanted to rent told him that she knew about his criminal past. He said: "She told me ... everyone deserves a second chance and that was why she was letting me sign the lease."

The officer denies 11 charges under the Data Protection Act of accessing the police station computer system without the consent of the data controller, between October 1 and November 16, 2009, and of obtaining personal information without authority.

Download a white paper on privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.

Saturday, May 26, 2012

A healthcare employee in Georgia improperly accessed patient information with the intent to file fraudulent tax returns. The employee appears to have stolen patient names, dates of birth, and social security numbers of patients treated between July 2005 and April 2012.

The healthcare firm's data security and audit controls appear to have missed the warning signs of data theft, as the organization says it only became aware of the ongoing insider theft when notified by law enforcement in April 2012.

"We have reinforced and refined our privacy policies and staff procedures for handling patient information with care to prevent such an incident from happening in the future." - Company website

The employee has since been fired. No specifics have been released on how the organization will detect future breaches of patient privacy by insiders.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Friday, May 25, 2012

Over 228,000 Medicaid beneficiaries had their personal information stolen by a South Carolina employee of the Department of Health and Human Services. The employee allegedly gathered names, phone numbers, addresses, birth dates and Medicare ID numbers for use in identity theft.

The cost is potentially millions of dollars of fines by federal and state agencies for not safeguarding the information properly on top of $800,000 to $1 million spent on credit protection services for the individuals affected.

The employee, a former member of the local Democratic Party executive committee, was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.

"An employee completely abused the information that they had and used it for personal gain. We’re going to make sure this does not happen again." - Gov. Nikki Haley

Governor Haley told her cabinet agency heads that supervisors at state agencies risk their jobs if they are not vigilant about security. “If (agencies) have a supervisor who has this happen on their watch, they will get fired,” she said.

The director of the state's Health and Human Services said state employees inappropriately using information pose a greater threat than external hackers, but he does not have a monitoring system that could have picked up on the breach.

Detect inappropriate access by authorized insiders, just like the one in this blog posting. Download a white paper on a privacy breach detection monitoring service that works with no hardware and no on-site software.

Thursday, May 24, 2012

A hospital in Massachusetts pays $750,000 over allegations it failed to protect its patients' personal and confidential health information including Social Security numbers, financial account numbers, and medical diagnoses.

In addition, the hospital must undergo a review and audit of its security measures and report the results and any corrective actions to the Attorney General.

"Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data." - Massachusetts Attorney General Martha Coakley

The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Wednesday, May 23, 2012

A customer service representative (CSR) misused customer-supplied credit card or bank account payment information. The CSR at the Alaskan telephone company is alleged to have used the customer information for personal purchases.

"This isn't a hacking or a situation where our electronics systems have been compromised. Just common thievery." - Company spokesperson

The telephone firm sent letters to about 400 customers recommending the customers check their accounts for unusual activity. The company believes fewer than 20 may have actually been affected.

Download a white paper on customer privacy breach detection. Learn how to proactively identify unauthorized breaches of customer data privacy, even by authorized users - with no hardware and no on-site software.

The Supreme Court ruling will not affect the deployment of electronic health record systems and the government's "meaningful use" program because the 2009 HITECH Act is an entirely separate piece of legislation from the 2010 Affordable Care Act, says Carla Smith, executive vice president of the Healthcare Information and Management Systems Society.

"I think that what we're going to find is that even if it is struck down, these people are still going to make decisions and still buy EHRs." - Jennifer Covich Bordenick, CEO of the eHealth Initiative

Tuesday, May 22, 2012

The chief technology officer (CTO) for the state of Utah resigned following a breach that violated the medical privacy of 780,000 Medicaid recipients and participants in the Children’s Health Insurance Program.

The Governor asked the CTO to resign, and he stepped down. The Governor also announced a replacement, the former information technology director for the Department of Workforce Services.

"The people of Utah rightly believe that their government will protect them, their families and their personal data. As a state government, we failed to honor that commitment." - Utah Gov. Gary Herbert

In addition, the Governor created the new post of health data security ombudsman. This ombudsman will oversee individual case management, credit counseling and public outreach.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Monday, May 21, 2012

Medicare patients in Idaho and Missouri had their patient records stolen by an employee of a large healthcare organization. The organization has notified only 68 patients believed to have had their identities stolen.

Disappointingly, "despite an exhaustive effort" the organization is unable to identify other patients who may be at risk. Unfortunately, the inability to identify patients affected by a breach is all too common because of the number of disparate medical systems involved and the lack of good data analytics.

For this reason hospitals are turning to Identity and Access Intelligence (IAI) solutions that can proactively identify breaches and inappropriate access that violates patient data privacy, even by authorized employees. Such IAI services can quickly and easily identify all the patients affected.

"A former employee, during the course of his employment, may have accessed information in a database in a way that was inconsistent with his job duties." - Company Press Release

NOTE: This healthcare organization had a previous breach by an employee involving over 150 students at the University of California, Irvine. The insider stole tax rebates by filing false tax returns in the students' names using information stolen from the patient records.

Download a white paper on patient privacy breach detection. Learn how IAI proactively identifies unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sunday, May 20, 2012

A hospital's patient financial coordinator was arrested for inappropriately accessing patients' hospital records and using them to commit identity theft. 3,600 patients were notified by the hospital and the hospital is paying for one year of credit monitoring.

The scam that led to the arrest involved setting up electrical service for the perpetrators' apartment using a patient's information and sending the bills to yet another person's address. When the bills went unpaid for 4 months, the electricity company would close the account and go after the patient for non-payment. The hospital employee would then repeat the fraud by opening a new account with a different patient's information.

"We are saddened and disappointed that this former employee appears to have chosen to violate both our trust and that of our patients." - Hospital president and CEO

Of course, once the electric utility got the police involved the entire scheme quickly fell apart since the perpetrators were living at the address getting the electricity. Duh? The police then determined that the only similarity between all the victims was that they were patients at the same hospital. At which point the police contacted the hospital.

Unfortunately, the traditional hospital response of additional training to reinforce the importance of safeguarding patient information is likely to have little effect on staff with criminal intentions.

Moreover, it is not realistic to prevent employees in the finance department from viewing sensitive patient financial information as they need access to insurance numbers and the like to do their job.

For this reason hospitals are turning to Identity and Access Intelligence solutions that can proactively identify inappropriate access that violates patient data privacy, even by authorized employees.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

The Bloomberg article points out 10 ways your medical data privacy can be breached, here is just one:

"The staffs at hospitals and the doctor's office aren't always looking out for your best interests. Employees have been caught using patient information to file bogus medical claims and tax returns, create "ghost" employees, sell to gang members and pry into the lives of celebrities." - Bloomberg

Bloomberg points out that medical providers are breached more than other types of organizations, including retailers and the government. In fact, the Privacy Rights Clearinghouse, a nonprofit consumer rights group, has documented 690 breaches at medical providers since 2005, involving a total of 23 million medical records.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Friday, May 18, 2012

Over 1,000 government employees have been disciplined for ’snooping’ on private citizens’ medical and social security data in the UK government's applications and databases over a period of more than 2 years.

All of these employees had been given authorized access to the sensitive personal data only after passing a lengthy vetting process. But they went beyond the boundaries of their job and made “unauthorised disclosures of official, sensitive, private and/or personal information”.

"Just about anyone with access to a wealth of personally identifiable information has the opportunity to make a lot of money selling that data on the black markets."

Extremely sensitive medical and personal data at both the UK’s Department for Work and Pensions and The Department for Health were the targets of the unauthorized access.

The UK Data Protection Act makes it a crime to obtain or disclose personal data without permission, or to procure its disclosure to other persons. The penalty for a criminal offence is an unlimited fine in the higher Crown Court, and a fine of up to £5,000 ($7,900) in the lower magistrates' court.

Download a white paper on privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.

Thursday, May 17, 2012

Criminals stole tax refunds by filing false tax returns using information stolen from medical records at a Houston area hospital.

The hospital confirmed an employee had inappropriately accessed 741 patients' medical records. The employee was subsequently terminated for unrelated reasons and the hospital did not know about his violation of patient privacy until notified by the police.

"At the time of the employee’s termination, it was unknown by [the] Hospital that the employee had engaged in the unauthorized release of patients’ protected information. The hospital was alerted about this occurrence by the police authority." - Hospital Chief Compliance Officer

The employee was an intake coordinator who misused her legitimate access to patients’ personal information between March 15 and Aug. 18, 2011. The hospital only learned of the medical data theft 7 months later, in April 2012.

The type of information in the possession of the former employee includes forms with personal information such as name, address, date of birth and social security number along with insurance information.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Not-for-profit hospitals ranked investing in health IT as their top capital spending priority, according to a survey conducted by Fitch Ratings.

On a scale of one to five, with one being of the greatest importance and five being of the least importance, investments in IT were of the greatest importance with an average rating of 1.7.

"Expanded IT capabilities are a key cornerstone of healthcare reform...[and]... IT is expected to help hospitals decrease costs." - Fitch Ratings

Make sure your healthcare IT is not being used inappropriately. Learn about patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy - with no hardware and no on-site software.

Wednesday, May 16, 2012

A hospital employee was charged with identity theft for paying her bills with data stolen from hospital patients. The Chicago resident is charged with one count each of aggravated identity theft and identity theft and faces up to 7 years in prison.

Police say that all victims had been patients at the hospital and that the suspect had opened electric, gas or telephone service in the victim's names. The employee had been with the hospital for 4 years when municipal utility officials reported “suspicious credit card activity” involving her water bill payments.

"An employee of a Chicago hospital has been charged with using the personal information of patients, some of them being treated for cancer, to pay personal bills." - Office of Cook County State’s Attorney Anita Alvarez

Working with the credit card company, the police determined that the credit card transactions had originated at her home or at a laboratory at the Chicago hospital. The resulting search of the suspect's home yielded credit card numbers, Social Security numbers, and birth dates of more than 50 patients.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Tuesday, May 15, 2012

A hospital employee violated patient privacy by inappropriately looking at their medical records while they were at Kingston, New York medical facilities.

The hospitals would not reveal how many patients had their medical privacy violated by the employee.

"We take the privacy and security of your personal medical information very seriously, and we apologize for this situation. We will continue to maintain a high level of vigilance over our patients’ personal information." - notification letter from hospital

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sunday, May 13, 2012

7 hospital employees were fired for looking at the medical records of patients not under their care. The 7 succumbed to their curiosity about a severely overweight patient.

Unfortunately, the patient was so disturbed by this violation of her privacy that she is now reluctant to seek treatment at the hospital. The hospital's vice-president publicly condemned the employees' behavior and says such abuses are rare.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Tuesday, May 8, 2012

Veriphyr, a leading provider of identity and access intelligence (IAI), today announced that it has donated its patient privacy breach detection service to Gillette Children’s Specialty Healthcare in partnership with Children’s Miracle Network Hospitals (CMNH). The Veriphyr service protects patients’ personal health information (PHI) by detecting inappropriate access by hospital employees and other insiders. Veriphyr applies “big data” analytics to identify potential privacy and regulatory compliance violations, as well as data breaches.

“We are excited that our affiliation with Children's Miracle Network Hospitals has resulted in this generous donation from Veriphyr and we look forward to partnering with them on access control efforts going forward,” said Paul Higby, Change Management and IS Security, Gillette Children’s Specialty Healthcare.

Gillette Children’s Specialty Healthcare is an independent, not-for-profit hospital located in St. Paul, Minnesota, with clinics in Duluth, Burnsville, Maple Grove, Minnetonka, and services for adult patients at their St. Paul - Phalen Clinic. Gillette is uniquely focused on treating children with disabilities and complex medical conditions.

"Every child deserves to have their medical privacy protected. We are pleased to be able to donate Veriphyr services to Gillette Children’s Specialty Healthcare through our partnership with Children’s Miracle Network Hospitals." - Alan Norquist, CEO of Veriphyr

The Veriphyr solution, delivered as a secure cloud service, delivers reports on privacy breaches and inappropriate access to patient data in all EMR, clinical, or business applications within days, not months. It requires no changes to a hospital’s IT infrastructure and no on-site software or hardware.

"The Veriphyr service helps healthcare organizations identify privacy and security problems that could result in identity theft or a loss of medical privacy." - Clark Sweat, Chief of Corporate Partnerships for Children’s Miracle Network Hospitals

“We are extremely pleased Veriphyr has joined our cause to help deserving institutions like Gillette Children’s Specialty Healthcare,” said Clark Sweat, Chief of Corporate Partnerships for Children’s Miracle Network Hospitals.

About Gillette Children’s Specialty Healthcare

Gillette, an independent, not-for-profit hospital and clinics, is internationally recognized for its work in the diagnosis and treatment of children and young adults who have disabilities or complex medical needs. Gillette’s mission is to help children, adults and their families improve their health, achieve greater well-being, and enjoy life. For more, visit www.gillettechildrens.org.

About Children’s Miracle Network Hospitals (CMNH)

Children’s Miracle Network Hospitals (CMNH) is a non-profit organization that raises funds for children’s hospitals, which in turn use the funds where they are needed most. CMNH has raised over US$4 billion, which is distributed directly to a network of 170 hospitals across North America. www.childrensmiraclenetworkhospitals.org.

About Veriphyr

Veriphyr is a leading provider of Identity and Access Intelligence (IAI) that enables organizations to discover data privacy breaches and inappropriate access to data in applications, databases, and systems. Veriphyr uses data analytics to transform identity, rights, and activity data from commercial and custom applications into actionable intelligence for privacy, compliance, risk, and security management.

Editorial Contact:
Marc Gendron
Marc Gendron PR
781-237-0341
marc@mgpr.net

###

Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Tuesday, May 1, 2012

Interesting insight from a recent piece in Dark Reading on how insiders are the biggest risk related to ID theft, especially in hospitals and other healthcare organizations.

"A majority of cases that we investigate end up being insiders rather than external hacking or anything of that nature." - Brian McGinley, senior vice president of data risk management for Identity Theft 911

"If we characterize a trend based on the breaches we've seen, it's probably been related to insiders being recruited or placed by organized fraud and ID theft rings. They're out to steal patient information, employee information and doctor information--all very rich fodder for identity theft."

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.